Chapter 9 - 04 - Application Security Testing Techniques and Tools - 01_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Exam 212-82 Application Security Module Flow Understand Secure...

Certified Cybersecurity Technician Exam 212-82 Application Security Module Flow Understand Secure Understand Secure Application Design and Application, Development, Arxchitecture o i 9 Deployment, and Automation v RT FLCETT T TIE \ Understand Software Application Security Security Standards, Models, 9 ( o Testing Techniques and and Frameworks Tools Copyright © by EC: Al Rights Reserved. Reproduction is Strictly Prohibited Application Security Testing Techniques and Tools The primary objective of application security testing is to detect flaws or vulnerabilities associated with source code. Application security testing techniques and tools assist developers in detecting all the potential security weaknesses and in making changes to the code to fix the weaknesses. This section discusses various application security testing techniques and tools. Module 09 Page 1188 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Static Application Security Testing (SAST) SAST, also known as It should be performed secure code review, is one of toward the end of the source the software security code development when assurance approach to identify application code is stable or security-related weaknesses nearly completed in the code It involves detailed systematic inspection of source code to detect O @ < o Security professionals use tools such as Coverity Static Application Security Testing, vulnerabilities and design Appknox, AttackFlow, etc. to flaws perform SAST Static Application Security Testing (SAST) SAST, also known as secure code review, is one of the software security assurance approach to identify security-related weaknesses in the code. It involves detailed systematic inspection of source code to detect vulnerabilities and design flaws. It should be performed toward the end of the source code development when application code is stable or nearly completed. It should always be performed in combination with human effort (Manual) and technology support (Automated). SAST aims to detect application security vulnerabilities and their root causes when code is not running. SAST tools assist developers in testing the source code to discover and report design flaws associated with the application, which can open doors for various attacks. It also ensures that the source code is compliant with defined rules, standards, and guidelines. Security professionals use tools such as Coverity Static Application Security Testing, Appknox, AttackFlow, bugScout, and PT Application Inspector, to perform SAST. Module 09 Page 1189 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security »| Types of SAST - Automated Source Code Analysis Manual Source Code Review » Itis also known as Static Code Analysis 7» Itinvolves manually inspecting the (scAa) (SCA) source code line by line to detect any ~ ~-. defects and security related flaws >» It uses certain source code analysis tool to scan the code and report potential flaws Types of SAST = Automated source code analysis It is also known as Static Code Analysis (SCA). It uses certain source code analysis tool to scan the code and report potential flaws. = Manual Manual source code review It involves manually inspecting the source code line by line to detect any defects and security related flaws. Module 09 Page 1190 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security S Dynamic Application Dynamic Application A% Securi ty Testin Security g (DAST) Testing 4 DAST is a security testing technique which involves simulating attacks against the application and analyzes how the application behaves The application is tested dynamically from the outside when application is running DAST is generally performed by the penetration testers or security practitioners on a working system in pre-production, a test environment, or even in production Security professionals use tools such as Netsparker, Acunetix Vulnerability Scanner, HCL AppScan, etc. to perform DAST These scanners believe in fuzzing the application inputs with attack payloads in order to detect security weaknesses Dynamic Application Security Testing (DAST) DAST is a security testing technique which involves simulating attacks against the application and analyzes how the application behaves. The application is tested dynamically from the outside when application is running. DAST is generally performed by the penetration testers or security practitioners on a working system in pre-production, a test environment, or even in production. These individuals typically uses automated web application vulnerability scanners to conduct DAST. These scanners believe in fuzzing the application inputs with attack payloads in order to detect security weaknesses. DAST tools execute on running code to identify issues related to interfaces, requests/responses, sessions, scripts, authentication processes, code injections, etc. Security professionals use tools such as Netsparker, Acunetix Vulnerability Scanner, HCL AppScan, Micro Focus Fortify on Demand, and Appknox, to perform DAST. Module 09 Page 1191 Certified Cybersecurity Technician Copyright © by EC-Council EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security Types of DAST Automated Application Vulnerability Manual Application Security Scanning Testing 0O O Security tester uses classic application O Security tester uses proxy-based security security scanners to scan the web testing tools to craft and send request application for vulnerabilities manually and analyze the responses from the application Types of DAST = Automated Application Vulnerability Scanning Security tester uses classic application security scanners to scan the web application for vulnerabilities. = Manual Application Security Testing Security tester uses proxy-based security testing tools to craft and send request manually and analyze the responses from the application. Module 09 Page 1192 Certified Cybersecurity Technician Copyright ©© by EC-Council EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Exam 212-82 Application Security SAST vs DAST S By, ~Arbd 44 L m p‘f()hfi White box security testing Black box security testing Requires a source code Requires a running application Finds vulnerability earlier in SDLC Finds the vulnerability towards the end of SDLC Less expensive to fix vulnerability More expensive to fix vulnerability Runtime and environment related Runtime and environment related issues can be issues can’t be discovered discovered Typically supports all kinds of Typically scans only apps like web application and software web services SAST vs DAST The table given below summarizes the differences between SAST and DAST: SAST DAST White box security testing Black box security testing Requires a source code Requires a running application Finds vulnerability earlier in SDLC Finds the vulnerability towards the end of SDLC Less expensive to fix vulnerability More expensive to fix vulnerability Runtime and environment related issues Runtime and environment related issues can be can’t be discovered discovered Typically scans only apps like web application Typically supports all kinds of software ypicaily supp ! w and web services Table 9.2: SAST vs DAST Module 09 Page 1193 Certified Cybersecurity Technician Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited.

Use Quizgecko on...
Browser
Browser